.oO Phrack 49 Oo.
Volume Seven, Issue Forty-Nine
16 of 16
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN PWN
PWN Phrack World News PWN
PWN PWN
PWN Issue 49 PWN
PWN PWN
PWN Compiled by DisordeR PWN
PWN PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
Phrack World News #49 -- Index
01. CIA attacked, pulls plug on Internet site
02. Letter From Senator Patrick Leahy (D-VT) on Encryption
03. Java Black Widows - Sun Declares War
04. Jacking in from the "Smoked Filled Room" Port
05. Panix Attack
06. Massive Usenet Cancels
07. Mitnick Faces 25 More Federal Counts of Computer Hacking
08. Hacker is freed but he's banned from computers
09. Computer Hacker Severely Beaten after Criticizing Prison Conditions
Target of Campaign by U.S. Secret Service
10. Bernie S. Released!
11. <The Squidge Busted>
12. School Hires Student to Hack Into Computers
13. Paranoia and Brit Hackers Fuel Infowar Craze in Spy Agencies
14. Hackers Find Cheap Scotland Yard Phone Connection
15. U.S. Official Warns of "Electronic Pearl Harbor"
16. Suit Challenges State's Restraint of the Internet Via AP
17. U.S. Government Plans Computer Emergency Response Team
18. Hackers $50K challenge to break Net security system
19. Criminal cult begins PGP crack attempt
20. Hackers Bombard Internet
21. Crypto Mission Creep
22. Hacker posts nudes on court's Web pages
23. Hacking Into Piracy
24. Revealing Intel's Secrets
25. Internet Boom Puts Home PCs At Risk Of Hackers
26. Computer hacker Mitnick pleads innocent
27. Hackers Destroy Evidence of Gulf War Chemical/Biological Weapons
28. Criminals Slip Through The Net
[=-------------------------------------------------------------------------=]
title: CIA attacked, pulls plug on Internet site
author: unknown
source: Reuter
WASHINGTON (Reuter) - The Central Intelligence Agency, that bastion of
spy technology and computer wizardry, pulled the plug on its World
Wide Web site on the Internet Thursday after a hacker broke in and
replaced it with a crude parody.
CIA officials said their vandalized homepage -- altered to read
"Welcome to the Central Stupidity Agency" -- was in no way linked to
any mainframe computers containing classified national security
information.
[* Excuse me for a minute while my erection goes down. *]
The site was tampered with Wednesday evening and the CIA closed it
Thursday morning while a task force looked into the security breach,
CIA spokeswoman Jane Heishman said. Part of the hacker's text read
"Stop Lying."
"It's definitely a hacker" who pierced the system's security, she
said. "The agency has formed a task force to look into what happened
and how to prevent it."
[* No shit?! It was a hacker that did that? *]
The CIA web site (http://www.odci.gov/cia) showcases unclassified
information including spy agency press releases, officials' speeches,
historical rundowns and the CIA's World Fact Book, a standard
reference work.
The cyber-attack matched one that forced the Justice Department to
close its Web site last month after hackers inserted a swastika and
picture of Adolf Hitler. The penetration of the CIA homepage
highlighted the vulnerability of Internet sites designed to attract
the public and drove home the need for multiple layers of security.
"You want people to visit, you want them to interact, but you don't
want them to leave anything behind," said Jon Englund of the
Information Technology Association of America, a trade group of
leading software and telecommunications firms.
[=-------------------------------------------------------------------------=]
From: Senator_Leahy@LEAHY.SENATE.GOV
Date: Thu, 02 May 96 12:04:07 EST
-----BEGIN PGP SIGNED MESSAGE-----
LETTER FROM SENATOR PATRICK LEAHY (D-VT) ON ENCRYPTION
May 2, 1996
Dear Friends:
Today, a bipartisan group of Senators has joined me in supporting
legislation to encourage the development and use of strong,
privacy-enhancing technologies for the Internet by rolling back
the out-dated restrictions on the export of strong cryptography.
In an effort to demonstrate one of the more practical uses of
encryption technology (and so that you all know this message
actually came from me), I have signed this message using a
digital signature generated by the popular encryption program
PGP. I am proud to be the first member of Congress to utilize
encryption and digital signatures to post a message to the
Internet.
[* The first?! We're doomed!! *]
As a fellow Internet user, I care deeply about protecting
individual privacy and encouraging the development of the Net as
a secure and trusted communications medium. I do not need to
tell you that current export restrictions only allow American
companies to export primarily weak encryption technology. The
current strength of encryption the U.S. government will allow out
of the country is so weak that, according to a January 1996 study
conducted by world-renowned cryptographers, a pedestrian hacker
can crack the codes in a matter of hours! A foreign intelligence
agency can crack the current 40-bit codes in seconds.
[* That should read "As a fellow Internet user ..who doesn't read
his own mail... *]
Perhaps more importantly, the increasing use of the Internet and
similar interactive communications technologies by Americans to
obtain critical medical services, to conduct business, to be
entertained and communicate with their friends, raises special
concerns about the privacy and confidentiality of those
communications. I have long been concerned about these issues,
and have worked over the past decade to protect privacy and
security for our wire and electronic communications. Encryption
technology provides an effective way to ensure that only the
people we choose can read our communications.
I have read horror stories sent to me over the Internet about how
human rights groups in the Balkans have had their computers
confiscated during raids by security police seeking to find out
the identities of people who have complained about abuses.
Thanks to PGP, the encrypted files were undecipherable by the
police and the names of the people who entrusted their lives to
the human rights groups were safe.
The new bill, called the "Promotion of Commerce On-Line in the
Digital Era (PRO-CODE) Act of 1996," would:
o bar any government-mandated use of any particular
encryption system, including key escrow systems and affirm
the right of American citizens to use whatever form of
encryption they choose domestically;
[* Thank you for permission to do that.. even though it is legal already *]
o loosen export restrictions on encryption products so
that American companies are able to export any generally
available or mass market encryption products without
obtaining government approval; and
[* Loosen? Why not abolish? *]
o limit the authority of the federal government to set
standards for encryption products used by businesses and
individuals, particularly standards which result in products
with limited key lengths and key escrow.
This is the second encryption bill I have introduced with Senator
Burns and other congressional colleagues this year. Both bills
call for an overhaul of this country's export restrictions on
encryption, and, if enacted, would quickly result in the
widespread availability of strong, privacy protecting
technologies. Both bills also prohibit a government-mandated key
escrow encryption system. While PRO-CODE would limit the
authority of the Commerce Department to set encryption standards
for use by private individuals and businesses, the first bill we
introduced, called the "Encrypted Communications Privacy Act",
S.1587, would set up stringent procedures for law enforcement to
follow to obtain decoding keys or decryption assistance to read
the plaintext of encrypted communications obtained under court
order or other lawful process.
It is clear that the current policy towards encryption exports is
hopelessly outdated, and fails to account for the real needs of
individuals and businesses in the global marketplace. Encryption
expert Matt Blaze, in a recent letter to me, noted that current
U.S. regulations governing the use and export of encryption are
having a "deleterious effect ... on our country's ability to
develop a reliable and trustworthy information infrastructure."
The time is right for Congress to take steps to put our national
encryption policy on the right course.
I am looking forward to hearing from you on this important issue.
Throughout the course of the recent debate on the Communications
Decency Act, the input from Internet users was very valuable to
me and some of my Senate colleagues.
You can find out more about the issue at my World Wide Web home
page (http://www.leahy.senate.gov/) and at the Encryption Policy
Resource Page (http://www.crypto.com/). Over the coming months, I
look forward to the help of the Net community in convincing other
Members of Congress and the Administration of the need to reform
our nation's cryptography policy.
Sincerely,
Patrick Leahy
United States Senator
[=-------------------------------------------------------------------------=]
title: JAVA BLACK WIDOWS - SUN DECLARES WAR
author: unknown
from: staff@hpp.com
Sun Microsystems has declared war on Black Widow Java
applets on the Web. This is the message from Sun in response
to an extensive Online Business Consultant (OBC/May 96)
investigation into Java security.
OBC's investigation and report was prompted after renowned
academics, scientists and hackers announced Java applets
downloaded from the WWW presented grave security risks for
users. Java Black Widow applets are hostile, malicious traps set
by cyberthugs out to snare surfing prey, using Java as their technology.
OBC received a deluge of letters asking for facts after OBC
announced a group of scientists from Princeton University, Drew
Dean, Edward Felten and Dan Wallach, published a paper declaring
"The Java system in its current form cannot easily be made secure."
The paper can be retrieved at
http://www.cs.princeton.edu/sip/pub/secure96.html.
Further probing by OBC found that innocent surfers on the Web who
download Java applets into Netscape's Navigator and Sun's
HotJava browser, risk having "hostile" applets interfere with their
computers (consuming RAM and CPU cycles). It was also discovered
applets could connect to a third party on the Internet and, without the
PC owner's knowledge, upload sensitive information from the user's
computer. Even the most sophisticated firewalls can be penetrated . . .
"because the attack is launched from behind the firewall," said the
Princeton scientists.
One reader said, "I had no idea that it was possible to stumble on
Web sites that could launch an attack on a browser." Another said,
"If this is allowed to get out of hand it will drive people away from the
Web. Sun must allay fears."
[* Faster connections if people are driven from the web.. hmm... :) *]
The response to the Home Page Press hostile applet survey led to the
analogy of Black Widow; that the Web was a dangerous place where
"black widows" lurked to snare innocent surfers. As a result the
Princeton group and OBC recommended users should "switch off"
Java support in their Netscape Navigator browsers. OBC felt that Sun
and Netscape had still to come clean on the security issues. But
according to Netscape's Product Manager, Platform, Steve Thomas,
"Netscape wishes to make it clear that all known security problems with
the Navigator Java and JavaScript environment are fixed in Navigator
version 2.02."
However, to date, Netscape has not answered OBC's direct questions
regarding a patch for its earlier versions of Navigator that supported
Java . . . the equivalent of a product recall in the 3D world. Netscape
admits that flaws in its browsers from version 2.00 upwards were
related to the Java security problems, but these browsers are still in use
and can be bought from stores such as CompUSA and Cosco. A floor
manager at CompUSA, who asked not to be named, said "it's news to
him that we are selling defective software. The Navigator walks off our
floor at $34 a pop."
OBC advised Netscape the defective software was still selling at
software outlets around the world and asked Netscape what action was
going to be taken in this regard. Netscape has come under fire recently
for its policy of not releasing patches to software defects; but rather
forcing users to download new versions. Users report this task to be a
huge waste of time and resources because each download consists of
several Mbytes. As such defective Navigators don't get patched.
OBC also interviewed Sun's JavaSoft security guru, Ms. Marianne Mueller,
who said "we are taking security very seriously and working on it very
hard." Mueller said the tenet that Java had to be re-written from scratch or
scrapped "is an oversimplification of the challenge of running executable
content safely on the web. Security is hard and subtle, and trying to build
a secure "sandbox" [paradigm] for running untrusted downloaded applets
on the web is hard."
Ms. Mueller says Sun, together with their JavaSoft (Sun's Java division)
partners, have proposed a "sandbox model" for security in which "we
define a set of policies that restrict what applets can and cannot do---these
are the boundaries of the sandbox. We implement boundary checks---when
an applet tries to cross the boundary, we check whether or not it's allowed
to. If it's allowed to, then the applet is allowed on its way. If not, the
system throws a security exception.
"The 'deciding whether or not to allow the boundary to be crossed' is the
research area that I believe the Princeton people are working on," said
Mueller. "One way to allow applets additional flexibility is if the applet
is signed (for example, has a digital signature so that the identity of the
applet's distributor can be verified via a Certificate Authority) then allow
the applet more flexibility.
"There are two approaches: One approach is to let the signed applet
do anything. A second approach is to do something more complex and
more subtle, and only allow the applet particular specified capabilities.
Expressing and granting capabilities can be done in a variety of ways.
"Denial of service is traditionally considered one of the hardest security
problems, from a practical point of view. As [Java's creator] James
Gosling says, it's hard to tell the difference between an MPEG
decompressor and a hostile applet that consumes too many resources!
But recognizing the difficulty of the problem is not the same as 'passing
the buck.' We are working on ways to better monitor and control the
use (or abuse) of resources by Java classes. We could try to enforce
some resource limits, for example. These are things we are investigating.
"In addition, we could put mechanisms in place so that user interface
people (like people who do Web browsers) could add 'applet monitors'
so that browser users could at least see what is running in their browser,
and kill off stray applets. This kind of user interface friendliness (letting
a user kill off an applet) is only useful if the applet hasn't already grabbed
all the resources, of course."
The experts don't believe that the problem of black widows and hostile
applets is going to go away in a hurry. In fact it may get worse. The
hackers believe that when Microsoft releases Internet Explorer 3.00 with
support for Java, Visual Basic scripting and the added power of its
ActiveX technology, the security problem will become worse.
"There is opportunity for abuse, and it will become an enormous
problem," said Stephen Cobb, Director of Special Projects for the
National Computer Security Association (NCSA). "For example, OLE
technology from Microsoft [ActiveX] has even deeper access to a
computer than Java does."
JavaSoft's security guru Mueller agreed on the abuse issue: "It's going
to be a process of education for people to understand the difference
between a rude applet, and a serious security bug, and a theoretical
security bug, and an inconsequential security-related bug. In the case of
hostile applets, people will learn about nasty/rude applet pages, and
those pages won't be visited. I understand that new users of the Web
often feel they don't know where they're going when they point and click,
but people do get a good feel for how it works, pretty quickly, and I
actually think most users of the Web can deal with the knowledge that
not every page on the web is necessarily one they'd want to visit.
Security on the web in some sense isn't all that different from security
in ordinary life. At some level, common sense does come into play.
"Many people feel that Java is a good tool for building more secure
applications. I like to say that Java raises the bar for security on the
Internet. We're trying to do something that is not necessarily easy, but
that doesn't mean it isn't worth trying to do. In fact it may be worth
trying to do because it isn't easy. People are interested in seeing the
software industry evolve towards more robust software---that's the
feedback I get from folks on the Net."
# # #
The report above may be reprinted with credit provided as follows:
Home Page Press, Inc., http://www.hpp.com and Online Business Consultant
Please refer to the HPP Web site for additional information about Java and
OBC.
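The boundary check and the two signed-applet approaches Mueller describes above, as a small Python model. This is an added example, not code from Sun, JavaSoft, OBC or the original article; the action names, the trust store and the use of HMAC-SHA256 in place of a CA-verified digital signature are assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


class SandboxSecurityException(Exception):
    """Raised when an applet asks to cross a boundary its policy forbids."""


# Hypothetical action names. BASELINE is what any untrusted applet may do.
BASELINE = frozenset({"draw", "connect:origin"})

# Constructed trust store: distributor -> (verification key, extra capabilities).
# Assumption: HMAC-SHA256 with a shared key stands in for a public-key
# signature checked against a Certificate Authority.
TRUSTED = {
    "example-vendor": (b"constructed-demo-key", frozenset({"file:read"})),
}


@dataclass
class Applet:
    name: str
    code: bytes
    distributor: Optional[str] = None
    signature: Optional[bytes] = None


def sign(code: bytes, key: bytes) -> bytes:
    return hmac.new(key, code, hashlib.sha256).digest()


def verified_distributor(applet: Applet) -> Optional[str]:
    """Return the distributor only if the signature covers this exact code."""
    entry = TRUSTED.get(applet.distributor or "")
    if entry is None or applet.signature is None:
        return None
    expected = sign(applet.code, entry[0])
    if hmac.compare_digest(expected, applet.signature):
        return applet.distributor
    return None


class Sandbox:
    """Holds one applet's policy and performs the boundary check."""

    def __init__(self, applet: Applet, mode: str = "capabilities"):
        if mode not in ("capabilities", "trust-all"):
            raise ValueError("unknown mode: " + mode)
        self.applet = applet
        self.allowed = BASELINE
        self.unrestricted = False
        self.audit = []  # (action, allowed?) records for an "applet monitor"
        who = verified_distributor(applet)
        if who is not None:
            if mode == "trust-all":   # approach 1: a signed applet may do anything
                self.unrestricted = True
            else:                     # approach 2: only the granted capabilities
                self.allowed = BASELINE | TRUSTED[who][1]

    def check(self, action: str) -> None:
        ok = self.unrestricted or action in self.allowed
        self.audit.append((action, ok))
        if not ok:
            raise SandboxSecurityException(f"{self.applet.name}: {action} denied")


def attempt(applet: Applet, actions, mode: str = "capabilities"):
    """Run each action through the boundary check; return {action: allowed}."""
    box = Sandbox(applet, mode)
    result = {}
    for action in actions:
        try:
            box.check(action)
            result[action] = True
        except SandboxSecurityException:
            result[action] = False
    return result


if __name__ == "__main__":
    code = b"constructed applet bytes"
    key = TRUSTED["example-vendor"][0]
    unsigned = Applet("unsigned", code)
    signed = Applet("signed", code, "example-vendor", sign(code, key))
    # Code altered after signing: the signature no longer matches.
    tampered = Applet("tampered", code + b"!", "example-vendor", sign(code, key))
    wanted = ["draw", "file:read", "file:write"]
    for applet, mode in [(unsigned, "capabilities"), (signed, "capabilities"),
                         (signed, "trust-all"), (tampered, "trust-all")]:
        print(applet.name, mode, attempt(applet, wanted, mode))
```

An applet whose code was altered after signing falls back to the baseline policy in either mode, because the signature no longer verifies.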
[=-------------------------------------------------------------------------=]
title: Jacking in from the "Smoked Filled Room" Port
author: "Brock N. Meeks" <brock@well.com>
source: CyberWire Dispatch // September // Copyright (c) 1996 //
Washington, DC -- Federal provisions funding the digital telephony bill
and roving wiretaps, surgically removed earlier this year from an
anti-terrorism bill, have quietly been wedged into a $600 billion
omnibus spending bill.
The bill creates a Justice Department "telecommunications carrier
compliance fund" to pay for the provisions called for in the digital
telephony bill, formally known as the Communications Assistance in Law
Enforcement Act (CALEA). In reality, this is a slush fund.
Congress originally budgeted $500 million for CALEA, far short of the
billions actually needed to build in instant wiretap capabilities into
America's telephone, cable, cellular and PCS networks. This bill now
approves a slush fund of pooled dollars from the budgets of "any agency"
with "law enforcement, national security or intelligence
responsibilities." That means the FBI, CIA, NSA and DEA, among others,
will now have a vested interest in how the majority of your
communications are tapped.
The spending bill also provides for "multipoint wiretaps." This is the
tricked up code phrase for what amounts to roving wiretaps. Where the
FBI can only tap one phone at a time in conjunction with an
investigation, it now wants the ability to "follow" a conversation from
phone to phone; meaning that if your neighbor is under investigation and
happens to use your phone for some reason, your phone gets tapped. It
also means that the FBI can tap public pay phones... think about that
next time you call 1-800-COLLECT.
In addition, all the public and congressional accountability provisions
for how CALEA money was spent, which were in the original House version
(H.R. 3814), got torpedoed in the Senate Appropriations Committee.
Provisions stripped out by the Senate:
-- GONE: Money isn't to be spent unless an implementation plan is sent
to each member of the Judiciary Committee and Appropriations committees.
-- GONE: Requirement that the FBI provide public details of how its new
wiretap plan exceeds or differs from current capabilities.
-- GONE: Report on the "actual and maximum number of simultaneous
surveillance/intercepts" the FBI expects. The FBI ran into a fire storm
earlier this year when it botched its long overdue report that said it
wanted the capability to tap one out of every 100 phones
*simultaneously*. Now, thanks to this funding bill, rather than having
to defend that request, it doesn't have to say shit.
-- GONE: Complete estimate of the full costs of deploying and
developing the digital wiretapping plan.
-- GONE: An annual report to Congress "specifically detailing" how all
taxpayer money -- YOUR money -- is spent to carry out these new wiretap
provisions.
"No matter what side you come down on this (digital wiretapping) issue,
the stakes for democracy are that we need to have public accountability,"
said Jerry Berman, executive director of the Center for Democracy and
Technology.
Although it appeared that no one in congress had the balls to take on
the issue, one stalwart has stepped forward, Rep. Bob Barr (R-Ga.). He
has succeeded in getting some of the accountability provisions back into
the bill, according to a Barr staffer. But the fight couldn't have been
an easy one. The FBI has worked congress relentlessly in an effort to
skirt the original reporting and implementation requirements as outlined
in CALEA. Further, Barr isn't exactly on the FBI's Christmas card list.
Last year it was primarily Barr who scotched the funding for CALEA
during the 104th Congress' first session.
But Barr has won again. He has, with backing from the Senate, succeeded
in *putting back* the requirement that the FBI must justify all CALEA
expenditures to the Judiciary Committee. Further, the implementation
plan, "though somewhat modified" will "still have some punch," Barr's
staffer assured me. That includes making the FBI report on its
expected capacities and capabilities for digital wiretapping. In other
words, the FBI won't be able to "cook the books" on the wiretap figures
in secret. Barr also was successful in making the Justice Department
submit an annual report detailing its CALEA spending to Congress.
However, the funding for digital wiretaps remains. Stuffing the funding
measures into a huge omnibus spending bill almost certainly assures its
passage. Congress is twitchy now, anxious to leave. They are chomping
at the bit, sensing the end of the 104th Congress' tortured run as the
legislative calendar is due to run out sometime early next week. Then
they will all literally race from Capitol Hill at the final gavel,
heading for the parking lot, jumping in their cars like stock car
drivers as they make a mad dash for National Airport to return to their
home districts in an effort to campaign for another term in the loopy
world of national politics.
Congress is "going to try to sneak this (spending bill) through the back
door in the middle of the night," says Leslie Hagan, legislative
director for the National Association of Criminal Defense Lawyers. She
calls this a "worst case scenario" that is "particularly dangerous"
because the "deliberative legislative process is short-circuited."
Such matters as wiretapping deserve to be aired in the full sunlight of
congressional hearings, not stuffed into an 11th hour spending bill.
This is legislative cowardice. Sadly, it will most likely succeed.
And through this all, the Net sits mute.
Unlike a few months ago, on the shameful day the Net cried "wolf" over
these same provisions, mindlessly flooding congressional switchboards
and any Email box within keyboard reach, despite the fact that the
funding provisions had already been stripped from the
anti-terrorism bill, there has been no hue-and-cry about these most
recent moves.
Yes, some groups, such as the ACLU, EPIC and the Center for Democracy
and Technology have been working the congressional back channels,
buzzing around the frenzied legislators like crazed gnats.
But why haven't we heard about all this before now? Why has this bill
come down to the wire without the now expected flurry of "alerts"
"bulletins" and other assorted red-flag waving by our esteemed Net
guardians? Barr's had his ass hanging in the wind, fighting FBI
Director Louis "Teflon" Freeh; he could have used some political cover
from the cyberspace community. Yet, if he'd gone to that digital well,
he'd have found only the echo of his own voice.
And while the efforts of Rep. Barr are encouraging, it's anything but a
done deal. "As long as the door is cracked... there is room for
mischief," said Barr's staffer. Meaning, until the bill is reported
and voted on, some snapperhead congressman could fuck up the process yet
again.
We all caught a bit of a reprieve here, but I wouldn't sleep well. This
community still has a lot to learn about the Washington boneyard.
Personally, I'm a little tired of getting beat up at every turn. Muscle
up, folks, the fight doesn't get any easier.
Meeks out...
Declan McCullagh <declan@well.com> contributed to this report.
[=-------------------------------------------------------------------------=]
title: Panix Attack
author: Joshua Quittner
source: Time Magazine - September 30, 1996 Volume 148, No. 16
It was Friday night, and Alexis Rosen was about to leave work when one
of his computers sent him a piece of E-mail. If this had been the
movies, the message would have been presaged by something
dramatic--the woo-ga sound of a submarine diving into combat, say. But
of course it wasn't. This was a line of dry text automatically
generated by one of the machines that guard his network. It said
simply, "The mail servers are down." The alert told Rosen that his
6,000 clients were now unable to receive E-mail.
Rosen, 30, is a cool customer, not the type to go into cardiac arrest
when his mail server crashes. He is the co-founder of Panix, the
oldest and best-known Internet service provider in Manhattan. Years
before the Net became a cereal-box buzz word, Rosen would let people
connect to Panix free, or for only a few dollars a month, just
because--well, because that was the culture of the time. Rosen has
handled plenty of mail outages, so on this occasion he simply rolled
up his sleeves and set to work, fingers clacking out a flamenco on the
keyboard, looking for the cause of the glitch. What he uncovered sent
a chill down his spine--and has rippled across the Net ever since,
like a rumor of doom. Someone, or something, was sending at the rate
of 210 a second the one kind of message his computer was obliged to
answer. As long as the siege continued--and it went on for
weeks--Rosen had to work day and night to keep from being overwhelmed
by a cascade of incoming garbage.
It was the dread "syn flood," a relatively simple but utterly
effective means for shutting down an Internet service provider--or,
for that matter, anyone else on the Net. After Panix went public with
its story two weeks ago, dozens of online services and companies
acknowledged being hit by similar "denial of service" attacks. As of
late last week, seven companies were still under furious assault.
None of the victims have anything in common, leading investigators to
suspect that the attacks may stem from the same source: a pair of
how-to articles that appeared two months ago in 2600 and Phrack, two
journals that cater to neophyte hackers. Phrack's article was written
by a 23-year-old editor known as daemon9. He also crafted the code for
an easy-to-run, menu-driven, syn-flood program, suitable for use by
any "kewl dewd" with access to the Internet. "Someone had to do it,"
wrote daemon9.
[* WooWoo! Go Route! *]
That gets to the core of what may be the Net's biggest problem these
days: too many powerful software tools in the hands of people who
aren't smart enough to build their own--or to use them wisely. Real
hackers may be clever and prankish, but their first rule is to do no
serious harm. Whoever is clobbering independent operators like Panix
has as much to do with hacking as celebrity stalkers have to do with
cinematography. Another of the victims was the Voters
Telecommunications Watch, a nonprofit group that promotes free speech
online. "Going after them was like going after the little old lady who
helps people in the neighborhood and bashing her with a lead pipe,"
says Rosen.
[* Gee. Is that to say that if you can't write your own operating system
that you shouldn't have it or that it is a big problem? If so, poor
Microsoft... *]
Rosen was eventually able to repulse the attack; now he'd like to
confront his attacker. Since some of these Netwits don't seem to know
enough to wipe off their digital fingerprints, he may get his wish.
[* Wow, they did it for two weeks without getting caught. Two weeks of
24/7 abuse toward this ISP, and now he thinks he can track them down? *]
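One way a defender could spot the pattern Rosen found, connection requests arriving at hundreds per second that are never completed, from a log of TCP handshake events. This is an added example, not code from the article or from Panix; the event format, the thresholds and the sample trace (built around the 210-per-second figure) are constructed for the illustration.

```python
from collections import defaultdict


def make_sample_events():
    """Constructed trace of (time_s, src_ip, src_port, flag) tuples.

    Seconds 0-2 carry ten ordinary clients per second that finish the
    handshake 50 ms after their SYN. Second 1 also carries 210 SYNs from
    sources that never answer (documentation address ranges only).
    """
    events = []
    for sec in range(3):
        for i in range(10):
            t = sec + i * 0.1
            ip, port = "203.0.113.%d" % (i + 1), 40000 + sec * 10 + i
            events.append((t, ip, port, "SYN"))
            events.append((t + 0.05, ip, port, "ACK"))
    for i in range(210):
        events.append((1 + i / 210, "198.51.100.%d" % (i % 250 + 1), 1024 + i, "SYN"))
    events.sort(key=lambda e: e[0])
    return events


def detect_syn_flood(events, syn_threshold=100, min_completion=0.5, timeout=3.0):
    """Flag seconds with many SYNs of which few completed the handshake.

    Returns (alerts, half_open): alerts is a list of
    (second, syn_count, completion_ratio); half_open is the number of
    SYNs still waiting for an ACK at the end of the trace, i.e. the
    backlog entries the server is holding.
    """
    pending = {}  # (ip, port) -> time of the SYN still waiting for its ACK
    buckets = defaultdict(lambda: {"syn": 0, "completed": 0})
    for t, ip, port, flag in events:
        key = (ip, port)
        if flag == "SYN":
            pending[key] = t
            buckets[int(t)]["syn"] += 1
        elif flag == "ACK" and key in pending:
            started = pending.pop(key)
            if t - started <= timeout:
                # Credit the completion to the second the SYN arrived in.
                buckets[int(started)]["completed"] += 1
    alerts = []
    for sec in sorted(buckets):
        syn, done = buckets[sec]["syn"], buckets[sec]["completed"]
        ratio = done / syn
        # A busy but healthy server has a high SYN rate AND a high ratio,
        # so both conditions are required before alerting.
        if syn >= syn_threshold and ratio < min_completion:
            alerts.append((sec, syn, round(ratio, 3)))
    return alerts, len(pending)


if __name__ == "__main__":
    alerts, half_open = detect_syn_flood(make_sample_events())
    for sec, syn, ratio in alerts:
        print("second %d: %d SYNs, %.1f%% completed" % (sec, syn, ratio * 100))
    print("half-open connections still pending:", half_open)
```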
[=-------------------------------------------------------------------------=]
title: none
author: Rory J. O'Connor
source: Knight-Ridder Newspapers
WASHINGTON -- Vandals swept through the Internet last weekend, wiping
clean dozens of public bulletin boards used by groups of Jews, Muslims,
feminists and homosexuals, among others.
In one of the most widespread attacks on the international computer
network, the programs automatically erased copies of more than 27,000
messages from thousands of servers, before operators stopped the
damage.
The identity of those responsible for launching the apparent hate
attacks -- some of the programs were titled "fagcancel" and "kikecancel"
-- is unknown.
The incident further illustrates the shaky security foundation of the
Internet, which has mushroomed from academic research tool to
international communications medium in just three years.
And it raised the ire of many Internet users furious at the ease with
which a user can erase someone else's words from worldwide discussion
groups, known as Usenet newsgroups, in a matter of hours.
"There's nothing you can do as an individual user to prevent someone
from canceling your message," said John Gilmore, a computer security
expert in San Francisco. "We need something added to Usenet's software
that would only allow a cancellation from the originator."
[* Which can then be forged just like fakemail... *]
The incident follows closely three other well-publicized Internet
attacks.
In two cases, hackers altered the World Wide Web home pages of the
Justice Department and the CIA, apparently as political protests. In
the third, a hacker overloaded the computers of an Internet service
provider called Panix with hordes of phony requests for a connection,
thus denying use of the service to legitimate users.
The latest attacks -- called cancelbots -- were launched sometime over
the weekend from a variety of Internet service providers, including
UUNet Technologies in Fairfax, Va., and Netcom Inc. in San Jose,
Calif. One attack was launched from a tiny provider in Tulsa, Okla.,
called Cottage Software, according to its owner, William Brunton.
"The offending user has been terminated and the information has been
turned over to the proper (federal) authorities," Brunton said in a
telephone interview Wednesday. "It's now in their hands."
Legal experts said it's unclear if the attacks constitute a crime
under federal laws such as the Computer Fraud and Abuse Act.
"It's really a difficult issue," said David Sobel, legal counsel of
the Electronic Privacy Information Center in Washington. "Can you
assign value to a newsgroup posting? Because most of the computer
crime statutes assume you're ripping off something of value."
[* Hello? Several statutes don't assume that at all. You can be
charged with HAVING information and not using it. *]
A spokesman for the FBI in Washington said he was unaware of any
federal investigation of the incident, although it is the agency's
policy not to comment on investigations.
While some of the deleted messages have been restored on certain
servers, where operators have retrieved them from backup copies of
their disks, users of other servers where the messages haven't been
restored will never be able to read them.
The fact that a user can stamp out the words of someone else is an
artifact of the original design of the Internet, begun as a Department
of Defense project in 1969.
The Internet consists of tens of thousands of computers, called
servers, that act as repositories for public messages, private
electronic mail and World Wide Web home pages. Servers throughout the
world are interconnected through telephone lines so they can exchange
information and route messages to the individual users, or clients, of
a given server.
Each server stores a copy of the constantly changing contents of
newsgroups, which function as giant electronic bulletin boards
dedicated to particular subjects. There are thousands of them,
covering everything from particle physics to soap operas.
Any Internet user is free to post a contribution to nearly any
newsgroup, and the posting is rapidly copied from one server to
another, so the contents of a newsgroup are identical on every server.
Almost the only form of control over postings, including their
content, is voluntary adherence to informal behavior rules known as
"netiquette."
The idea of cancelbots originated when the Internet and its newsgroups
were almost exclusively the domain of university and government
scientists and researchers. Their purpose was to allow individuals to
rescind messages they later discovered to contain an error. The action
took the form of an automatic program, itself in the form of a
message, because it would be impossible for an individual to find and
delete every copy of the posting on every Internet server.
But the Usenet software running on servers doesn't verify that the
cancel message actually comes from the person who created the original
posting. All a malicious user need do is replace their actual e-mail
address with that of someone else to fool Usenet into deleting a
message. That counterfeiting is as simple as changing an option in the
browser software most people use to connect to the Internet.
"It's pretty easy. There's no authentication in the Usenet. So anybody
can pretend to be anybody else," Gilmore said.
It takes only slightly more sophistication to create a program that
searches newsgroups for certain keywords, and then issues a cancelbot
for any message that contains them. That is how the weekend attack
took place.
The use of counterfeit cancelbots is not new. The Church of
Scientology, embroiled in a legal dispute with former members, last
year launched cancelbots against the newsgroup postings of the
members. Attorneys for the church claimed the postings violated
copyright laws, because they contained the text of Scientology
teachings normally available only to longtime members who have paid
thousands of dollars.
Net users have also turned false cancelbots against those who violate
a basic rule of netiquette by "spamming" newsgroups -- that is,
posting a message to hundreds or even thousands of newsgroups, usually
commercial in nature and unrelated to the newsgroup topic.
"This technology has been used for both good and evil," Gilmore said.
But an individual launching a wholesale cancelbot attack on postings
because of content is considered a serious violation of netiquette --
although one about which there is little recourse at the moment.
"For everybody who takes the trouble and time to participate on the
Internet in some way, I think it is not acceptable for somebody else
to undo those efforts," Sobel said. "But what are the alternatives?
Not to pursue this means of communications? Unintended uses and
malicious uses seem to be inevitable."
What's needed, some say, is a fundamental change in the Internet that
forces individual users to "sign" their postings in such a way that
everyone has a unique identity that can't be forged.
[* And how about for the technically challenged who can't figure
out the point-and-drool America Online software? *]
"The fatal flaw is that newsgroups were set up at a time when
everybody knew everybody using the system, and you could weed out
anybody who did this," Brunton said. "This points out that flaw in the
system, and that there are unreasonable people out there who will
exploit it."
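[* Added example, not part of the original article or of any news server's
code: the From-only check described above next to a hash-lock check of the
kind later standardized as Cancel-Lock (RFC 8315). The header dicts, addresses,
message IDs and secret below are constructed for illustration, and rejecting
cancels for unlocked articles is an assumed local policy. *]

```python
import base64
import hashlib
import hmac
from typing import Optional


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def make_cancel_key(secret: bytes, message_id: str) -> str:
    """Per-article key known only to the poster (or the poster's server)."""
    return _b64(hmac.new(secret, message_id.encode("utf-8"), hashlib.sha256).digest())


def make_cancel_lock(cancel_key: str) -> str:
    """Public lock carried in the original article: a hash of the key."""
    return "sha256:" + _b64(hashlib.sha256(cancel_key.encode("ascii")).digest())


def cancel_target(cancel: dict) -> Optional[str]:
    """Return the Message-ID named by a 'Control: cancel <id>' header."""
    parts = cancel.get("Control", "").split()
    if len(parts) == 2 and parts[0].lower() == "cancel":
        return parts[1]
    return None


def naive_accepts(original: dict, cancel: dict) -> bool:
    """The behaviour the article describes: trust whatever From says."""
    return (cancel_target(cancel) == original["Message-ID"]
            and cancel.get("From") == original.get("From"))


def lock_accepts(original: dict, cancel: dict) -> bool:
    """Honour a cancel only if it reveals a key that hashes to the lock."""
    if cancel_target(cancel) != original["Message-ID"]:
        return False
    lock_values = []
    for element in original.get("Cancel-Lock", "").split():
        scheme, _, value = element.partition(":")
        if scheme.lower() == "sha256" and value:
            lock_values.append(value.encode("utf-8"))
    if not lock_values:
        return False  # assumed policy: unlocked articles cannot be cancelled
    for element in cancel.get("Cancel-Key", "").split():
        scheme, _, key = element.partition(":")
        if scheme.lower() != "sha256" or not key.isascii() or not key:
            continue
        candidate = _b64(hashlib.sha256(key.encode("ascii")).digest()).encode("ascii")
        if any(hmac.compare_digest(candidate, lock) for lock in lock_values):
            return True
    return False


# --- constructed sample data -------------------------------------------
SECRET = b"constructed-demo-secret"
MSG_ID = "<post1@news.example>"
KEY = make_cancel_key(SECRET, MSG_ID)

ORIGINAL = {"Message-ID": MSG_ID, "From": "alice@site.example",
            "Cancel-Lock": make_cancel_lock(KEY)}
UNLOCKED = {"Message-ID": MSG_ID, "From": "alice@site.example"}

# Same From header as the original, but no knowledge of the key.
FORGED = {"From": "alice@site.example", "Control": "cancel " + MSG_ID}
# Cancel issued by the real poster, revealing the key.
GENUINE = dict(FORGED, **{"Cancel-Key": "sha256:" + KEY})
# A valid key, but for a different article.
WRONG_KEY = dict(FORGED, **{"Cancel-Key": "sha256:" +
                            make_cancel_key(SECRET, "<other@news.example>")})

if __name__ == "__main__":
    for name, msg in (("forged", FORGED), ("genuine", GENUINE), ("wrong key", WRONG_KEY)):
        print(f"{name:10} naive={naive_accepts(ORIGINAL, msg)} "
              f"lock={lock_accepts(ORIGINAL, msg)}")
```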
[=-------------------------------------------------------------------------=]
title: Mitnick Faces 25 More Federal Counts of Computer Hacking
source: nando.net - Los Angeles Daily News
LOS ANGELES (Sep 27, 1996 02:06 a.m. EDT) -- A computer hacker who
used his digital prowess to outrun FBI agents for three years has been
indicted on charges that he stole millions of dollars in software
through the Internet.
The 25-count federal indictment against Kevin Mitnick is the biggest
development in the sensational case since the self-taught computer
whiz was arrested in February 1995 in North Carolina.
The 33-year-old son of a waitress from suburban Los Angeles has been
held in custody in Los Angeles ever since.
With Thursday's indictment, federal prosecutors made good on their vow
to hold Mitnick accountable for what they say was a string of hacking
crimes that pushed him to the top of the FBI's most-wanted list.
"These are incredibly substantial charges. They involve conducts
spanning two and a half years. They involve a systematic scheme to
steal proprietary software from a range of victims," Assistant U.S.
Attorney David Schindler said in an interview.
Mitnick's longtime friend, Lewis De Payne, 36, also was indicted
Thursday on charges that he helped steal the software between June
1992 and February 1995 -- while Mitnick was on the run from the FBI.
"I would say it is an absurd fiction," said De Payne's attorney,
Richard Sherman. "I don't think the government is going to be able to
prove its case."
De Payne will surrender today to authorities in Los Angeles, Sherman
said.
Friends and relatives of Mitnick have defended his hacking, saying he
did it for the intellectual challenge and to pull pranks -- but never
for profit.
Los Angeles' top federal prosecutor sees it differently.
"Computer and Internet crime represents a major threat, with
sophisticated criminals able to wreak havoc around the world," U.S.
Attorney Nora M. Manella said in a written statement.
The indictment charges Mitnick and De Payne with having impersonated
officials from companies and using "hacking" programs to enter company
computers. Schindler said the software involved the operation of
cellular telephones and computer operating systems.
Their alleged victims include the University of Southern California,
Novell, Sun Microsystems and Motorola, Schindler said.
[=-------------------------------------------------------------------------=]
title: Hacker is freed but he's banned from computers
author: Brandon Bailey (Mercury News Staff Writer)
Convicted hacker Kevin Poulsen is out of prison after five years, but
he still can't touch a computer.
Facing a court order to pay more than $57,000 in restitution for
rigging a series of radio station call-in contests, Poulsen has
complained that authorities won't let him use his only marketable
skill -- programming.
Instead, Poulsen said, he's doomed to work for minimum wage at a
low-tech job for the next three years. Since his June release from
prison -- after serving more time behind bars than any other
U.S. hacker -- the only work he's found is canvassing door to door for
a liberal political action group.
It's a big change for the 30-year-old Poulsen, once among the most
notorious hackers on the West Coast. A former employee at SRI
International in Menlo Park, he was featured on television's
"America's Most Wanted" while living underground in Los Angeles as a
federal fugitive from 1989 to 1991.
Before authorities caught him, Poulsen burglarized telephone company
offices, electronically snooped through records of law enforcement
wiretaps and jammed radio station phone lines in a scheme to win cash,
sports cars and a trip to Hawaii.
Poulsen now lives with his sister in the Los Angeles area, where he
grew up in the 1970s and '80s. But he must remain under official
supervision for three more years. And it galls him that authorities
won't trust him with a keyboard or a mouse.
U.S. District Judge Manuel Real has forbidden Poulsen to have any
access to a computer without his probation officer's approval.
That's a crippling restriction in a society so reliant on computer
technology, Poulsen complained in a telephone interview after a
hearing last week in which the judge denied Poulsen's request to
modify his terms of probation.
To comply with those rules, Poulsen said, his parents had to put their
home computer in storage when he stayed with them. He can't use an
electronic card catalog at the public library. And he relies on
friends to maintain his World Wide Web site. He even asked his
probation officer whether it was OK to drive because most cars contain
microchips.
Living under government supervision apparently hasn't dampened the
acerbic wit Poulsen displayed over the years.
Prankster humor
When authorities were tracking him, they found he'd kept photographs
of himself, taken while burglarizing phone company offices, and that
he'd created bogus identities in the names of favorite comic book
characters.
Today, you can click on Poulsen's web page (http://www.catalog.com/kevin)
and read his account of his troubles with the law. Until it was
revised Friday, you could click on the highlighted words "my probation
officer" -- and see the scary red face of Satan.
But though he's still chafing at authority, Poulsen insists he's ready
to be a law-abiding citizen.
"The important thing to me," he said, "is just not wasting the next
three years of my life." He said he's submitted nearly 70 job
applications but has found work only with the political group, which
he declined to identify.
Poulsen, who earned his high school diploma behind bars, said he wants
to get a college degree. But authorities vetoed his plans to study
computer science while working part-time because they want him to put
first priority on earning money for restitution.
Poulsen's federal probation officer, Marc Stein, said office policy
prevents him from commenting on the case. Poulsen's court-appointed
attorney, Michael Brennan, also declined comment.
Differing view
But Assistant U.S. Attorney David Schindler partly disputed Poulsen's
account.
"Nobody wants to see Mr. Poulsen fail," said Schindler, who has
prosecuted both Poulsen and Kevin Mitnick, another young man from the
San Fernando Valley whose interest in computers and telephones became
a passion that led to federal charges.
Schindler said Stein is simply being prudent: "It would be irresponsible
for the probation office to permit him to have unfettered access to
computers."
Legal experts say there's precedent for restricting a hacker's access
to computers, just as paroled felons may be ordered not to possess
burglary tools or firearms. Still, some say it's going too far.
"There are so many benign things one can do with a computer," said
Charles Marson, a former attorney for the American Civil Liberties
Union who handles high-tech cases in private practice. "If it were a
typewriter and he pulled some scam with it or wrote a threatening
note, would you condition his probation on not using a typewriter?"
But Carey Heckman, co-director of the Law and Technology Policy Center
at Stanford University, suggested another analogy: "Would you want to
put an arsonist to work in a match factory?"
Friends defend Poulsen.
Over the years, Poulsen's friends and defense lawyers have argued that
prosecutors exaggerated the threat he posed, either because law
officers didn't understand the technology he was using or because his
actions seemed to flaunt authority.
Hacking is "sort of a youthful rebellion thing," Poulsen says
now. "I'm far too old to get back into that stuff."
But others who've followed Poulsen's career note that he had earlier
chances to reform.
He was first busted for hacking into university and government
computers as a teen-ager. While an older accomplice went to jail,
Poulsen was offered a job working with computers at SRI, the private
think tank that does consulting for the Defense Department and other
clients.
There, Poulsen embarked on a double life: A legitimate programmer by
day, he began breaking into Pacific Bell offices and hacking into
phone company computers at night.
When he learned FBI agents were on his trail, he used his skills to
track their moves.
Before going underground in 1989, he also obtained records of secret
wiretaps from unrelated investigations. Though Poulsen said he never
tipped off the targets, authorities said they had to take steps to
ensure those cases weren't compromised.
According to Schindler, the probation office will consider Poulsen's
requests to use computers "on a case-by-case basis."
[=-------------------------------------------------------------------------=]
[* Blurb on Bernie's release follows this article. *]
title: Computer Hacker Severely Beaten after Criticizing Prison Conditions
Target of Campaign by U.S. Secret Service
A convicted hacker, in prison for nothing more than possession of
electronic parts easily obtainable at any Radio Shack, has been
savagely beaten after being transferred to a maximum security prison
as punishment for speaking out publicly about prison conditions.
Ed Cummings, recently published in Wired and Internet Underground, as
well as a correspondent for WBAI-FM in New York and 2600 Magazine,
has been the focus of an increasingly ugly campaign of harassment
and terror from the authorities. At the time of this writing, Cummings
is locked in the infectious diseases ward at Lehigh County prison in
Allentown, Pennsylvania, unable to obtain the proper medical treatment
for the severe injuries he has suffered.
The Ed Cummings case has been widely publicized in the computer hacker
community over the past 18 months. In March of 1995, in what can only
be described as a bizarre application of justice, Cummings (whose pen
name is "Bernie S.") was targeted and imprisoned by the United States
Secret Service for mere possession of technology that could be used to
make free phone calls. Although the prosecution agreed there was no
unauthorized access, no victims, no fraud, and no costs associated with
the case, Cummings was imprisoned under a little known attachment to the
Digital Telephony bill allowing individuals to be charged in this fashion.
Cummings was portrayed by the Secret Service as a potential terrorist
because of some of the books found in his library.
A year and a half later, Cummings is still in prison, despite the
fact that he became eligible for parole three months ago. But things have
now taken a sudden violent turn for the worse. As apparent retribution for
Cummings' continued outspokenness against the daily harassment and
numerous injustices that he has faced, he was transferred on Friday
to Lehigh County Prison, a dangerous maximum security facility. Being
placed in this facility was in direct opposition to his sentencing
order. The reason given by the prison: "protective custody".
A day later, Cummings was nearly killed by a dangerous inmate for not
getting off the phone fast enough. By the time the prison guards stopped
the attack, Cummings had been kicked in the face so many times that he
lost his front teeth and had his jaw shattered. His arm, which he tried
to use to shield his face, was also severely injured. It is expected that
his mouth will be wired shut for up to three months. Effectively,
Cummings has now been silenced at last.
From the start of this ordeal, Cummings has always maintained his
composure and confidence that one day the injustice of his
imprisonment will be realized. He was a weekly contributor to a
radio talk show in New York where he not only updated listeners on
his experiences, but answered their questions about technology.
People from as far away as Bosnia and China wrote to him, having
heard about his story over the Internet.
Now we are left to piece these events together and to find those
responsible for what are now criminal actions against him. We are
demanding answers to these questions: Why was Cummings transferred
for no apparent reason from a minimum security facility to a very
dangerous prison? Why has he been removed from the hospital immediately
after surgery and placed in the infectious diseases ward of the very
same prison, receiving barely any desperately needed medical
attention? Why was virtually every moment of Cummings' prison stay a
continuous episode of harassment, where he was severely punished for
such crimes as receiving a fax (without his knowledge) or having too
much reading material? Why did the Secret Service do everything in
their power to ruin Ed Cummings' life?
Had these events occurred elsewhere in the world, we would be quick
to condemn them as barbaric and obscene. The fact that such things are
taking place in our own back yards should not blind us to the fact that
they are just as unacceptable.
Lehigh County Prison will be the site of several protest actions as will
the Philadelphia office of the United States Secret Service. For more
information on this, email protest@2600.com or call our office at
(516) 751-2600.
9/4/96
[=-------------------------------------------------------------------------=]
title: Bernie S. Released!
As of Friday, September 13th, Bernie S. was released from prison on
an unprecedented furlough. He will have to report to probation and
he still has major medical problems as a result of his extended tour
of the Pennsylvania prison system. But the important thing is that
he is out and that this horrible ordeal has finally begun to end.
We thank all of you who took an interest in this case. We believe
it was your support and the pressure you put on the authorities that
finally made things change. Thanks again and never forget the power
you have.
emmanuel@2600.com
www.2600.com
[=-------------------------------------------------------------------------=]
title: <The Squidge Busted>
ENGLAND:
The Squidge was arrested at his home yesterday under the Computer Misuse
Act. A long standing member of the US group the *Guild, Squidge was silent
today after being released but it appears no formal charges will be made
until further interviews have taken place.
Included in the arrest were the confiscation of his computer equipment
including two Linux boxes and a Sun Sparc. A number of items described as
'telecommunications devices' were also seized as evidence.
Following the rumours of ColdFire's recent re-arrest for cellular fraud
this could mean a new crackdown on hacking and phreaking by the UK
authorities. If this is true, it could spell the end for a particularly
open period in h/p history when notable figures have been willing to
appear more in public.
We will attempt to release more information as it becomes available.
(not posted by Squidge)
--
Brought to you by The NeXus.....
[* Good luck goes out to Squidge.. we are hoping for the best. *]
[=-------------------------------------------------------------------------=]
title: School Hires Student to Hack Into Computers
source: The Sun Herald - 22 August 1996
Palisades Park, NJ - When in trouble, call an expert.
Students at Palisades Park's high school needed their
transcripts to send off to colleges. But they were in the computer
and no one who knew the password could be reached. So the school
hired a 16-year-old hacker to break in.
"They found this student who apparently was a whiz, and,
apparently, was able to go in and unlock the password," School Board
attorney Joseph R. Mariniello said.
Superintendent George Fasciano was forced to explain to the
School Board on Monday the $875 bill for the services of Matthew
Fielder.
[* He should have charged more :) *]
[=-------------------------------------------------------------------------=]
title: Paranoia and Brit Hackers Fuel Infowar Craze in Spy Agencies
author: unknown
source: Crypt Newsletter 38
Electronic doom will soon be visited on U.S. computer networks by
information warriors, hackers, pannational groups of computer-wielding
religious extremists, possible agents of Libya and Iran, international
thugs and money-mad Internet savvy thieves.
John Deutch, director of Central Intelligence, testified to the
truth of the matter, so it must be graven in stone. In a long statement
composed in the august tone of the Cold Warrior, Deutch said to the
Senate Permanent Subcommittee on Investigations on June 25, "My greatest
concern is that hackers, terrorist organizations, or other nations might
use information warfare techniques" to disrupt the national
infrastructure.
"Virtually any 'bad actor' can acquire the hardware and software
needed to attack some of our critical information-based infrastructures.
Hacker tools are readily available on the Internet, and hackers
themselves are a source of expertise for any nation or foreign
terrorist organization that is interested in developing an information
warfare capability. In fact, hackers, with or without their full
knowledge, may be supplying advice and expertise to rogue states such
as Iran and Libya."
In one sentence, the head of the CIA cast hackers -- from those more
expert than Kevin Mitnick to AOLHell-wielding idiots calling an America
On-Line overseas account -- as pawns of perennial international bogeymen,
Libya and Iran.
Scrutiny of the evidence that led to this conclusion was not possible
since it was classified, according to Deutch.
" . . . we have [classified] evidence that a number of countries
around the world are developing the doctrine, strategies, and tools
to conduct information attacks," said Deutch.
Catching glimpses of shadowy enemies at every turn, Deutch
characterized them as operating from the deep cover of classified
programs in pariah states. Truck bombs aimed at the telephone
company, electronic assaults by "paid hackers" are likely to
be part of the arsenal of anyone from the Lebanese Hezbollah
to "nameless . . . cells of international terrorists such as those
who attacked the World Trade Center."
Quite interestingly, a Minority Staff Report entitled "Security and
Cyberspace" and presented to the subcommittee around the same time as
Deutch's statement, presented a different picture. In its attempt to
raise the alarm over hacker assaults on the U.S., it inadvertently
portrayed the intelligence community responsible for appraising the
threat as hidebound stumblebums, Cold Warriors resistant to change and
ignorant or indifferent to the technology of computer networks and their
misuse.
Written by Congressional staff investigators Dan Gelber and Jim Christy,
the report quotes an unnamed member of the intelligence community likening
threat assessment in the area to "a toddler soccer game, where everyone
just runs around trying to kick the ball somewhere." Further, assessment
of the threat posed by information warriors was "not presently a priority
of our nation's intelligence and enforcement communities."
The report becomes more comical with briefings from intelligence
agencies said to be claiming that the threat of hackers and information
warfare is "substantial" but completely unable to provide a concrete
assessment of the threat because few or no personnel were working on
the subject under investigation. "One agency assembled [ten] individuals
for the Staff briefing, but ultimately admitted that only one person was
actually working 'full time' on intelligence collection and threat
analysis," write Gelber and Christy.
The CIA is one example.
"Central Intelligence Agency . . . staffs an 'Information Warfare
Center'; however, at the time of [the] briefing, barely a handful
of persons were dedicated to collection and on [sic] defensive
information warfare," comment the authors.
" . . . at no time was any agency able to present a national threat
assessment of the risk posed to our information infrastructure," they
continue. Briefings on the subject, if any and at any level of
classification, "consisted of extremely limited anecdotal information."
Oh no, John, say it ain't so!
The minority report continues to paint a picture of intelligence agencies
that have glommed onto the magic words "information warfare" and
"hackers" as mystical totems, grafting the subjects onto "pre-existing"
offices or new "working groups." However, the operations are based only
on labels. "Very little prioritization" has been done; there are
few analysts working on the subjects in question.
Another "very senior intelligence officer for science and technology"
is quoted claiming "it will probably take the intelligence community
years to break the traditional paradigms, and re-focus resources"
in the area.
Restated, intelligence director Deutch pronounced in June there was
classified evidence that hackers are in league with Libya and Iran and
that countries around the world are plotting plots to attack the U.S.
through information warfare. But the classified data is and was, at best,
anecdotal gossip -- hearsay, bullshit -- assembled by perhaps a handful of
individuals working haphazardly inside the labyrinth of the intelligence
community. There is no real threat assessment to back up the Deutch
claims. Can anyone say _bomber gap_?
The lack of solid evidence for any of the claims made by the intelligence
community has created an unusual stage on which two British hackers,
Datastream Cowboy and Kuji, were made the dog and pony in a ridiculous
show to demonstrate the threat of information warfare to members of
Congress. Because of a break-in at an Air Force facility in Rome, NY,
in 1994, both hackers were made the stars of two Government Accounting
Office reports on network intrusions in the Department of Defense earlier
this year. The comings and goings of Datastream Cowboy also constitute the
meat of Gelber and Christy's minority staff report from the Subcommittee on
Investigations.
Before delving into it in detail, it's interesting to read what a
British newspaper published about Datastream Cowboy, a sixteen year-old,
about a year before he was made the poster boy for information
warfare and international hacking conspiracies in front of Congress.
In a brief article, blessedly so in contrast to the reams of propaganda
published on the incident for Congress, the July 5 1995 edition of The
Independent wrote, "[Datastream Cowboy] appeared before Bow Street
magistrates yesterday charged with unlawfully gaining access to a series
of American defense computers. Richard Pryce, who was 16 at the time of
the alleged offences, is accused of accessing key US Air Force systems
and a network owned by Lockheed, the missile and aircraft manufacturers."
Pryce, a resident of a northwest suburb of London, did not enter a plea
on any of 12 charges levied against him under the British
Computer Misuse Act. He was arrested on May 12, 1994, by New Scotland
Yard as a result of work by the U.S. Air Force Office of Special
Investigations. The Times of London reported when police came for
Pryce, they found him at his PC on the third floor of his family's house.
Knowing he was about to be arrested, he "curled up on the floor and cried."
In Gelber and Christy's staff report, the tracking of Pryce, and to a
lesser extent a collaborator called Kuji -- real name Mathew Bevan, is
retold as an eight page appendix entitled "The Case Study: Rome
Laboratory, Griffiss Air Force Base, NY Intrusion."
Pryce's entry into Air Force computers was noticed on March 28, 1994,
when personnel discovered a sniffer program he had installed on one
of the Air Force systems in Rome. The Defense Information System
Agency (DISA) was notified. DISA subsequently called the Air
Force Office of Special Investigations (AFOSI) at the Air Force
Information Warfare Center in San Antonio, Texas. AFOSI then
sent a team to Rome to appraise the break-in, secure the system and
trace those responsible. During the process, the AFOSI team discovered
Datastream Cowboy had entered the Rome Air Force computers for the
first time on March 25, according to the report. Passwords had been
compromised, electronic mail read and deleted and unclassified
"battlefield simulation" data copied off the facility. The
Rome network was also used as a staging area for penetration of other
systems on the Internet.
AFOSI investigators initially traced the break-in back one step to
the New York City provider, Mindvox. According to the Congressional
report, this put the NYC provider under suspicion because "newspaper
articles" said Mindvox's computer security was furnished by two "former
Legion of Doom members." "The Legion of Doom is a loose-knit computer
hacker group which had several members convicted for intrusions into
corporate telephone switches in 1990 and 1991," wrote Gelber and Christy.
AFOSI then got permission to begin monitoring -- the equivalent of
wiretapping -- all communications on the Air Force network. Limited
observation of other Internet providers being used during the break-in
was conducted from the Rome facilities. Monitoring told the investigators
the handles of hackers involved in the Rome break-in were Datastream
Cowboy and Kuji.
Since the monitoring was of limited value in determining the whereabouts
of Datastream Cowboy and Kuji, AFOSI resorted to "their human intelligence
network of informants, i.e., stool pigeons, that 'surf the Internet.'"
Gossip from one AFOSI 'Net stoolie uncovered that Datastream Cowboy was from
Britain. The anonymous source said he had e-mail correspondence with
Datastream Cowboy in which the hacker said he was a 16-year old living in
England who enjoyed penetrating ".MIL" systems. Datastream Cowboy also
apparently ran a bulletin board system and gave the telephone number to the
AFOSI source.
The Air Force team contacted New Scotland Yard and the British law
enforcement agency identified the residence, the home of Richard
Pryce, which corresponded to Datastream Cowboy's system phone number.
English authorities began observing Pryce's phone calls and noticed
he was making fraudulent use of British Telecom. In addition,
whenever intrusions at the Air Force network in Rome occurred, Pryce's
number was seen to be making illegal calls out of Britain.
Pryce travelled everywhere on the Internet, going through South America,
multiple countries in Europe and Mexico, occasionally entering the Rome
network. From Air Force computers, he would enter systems at Jet
Propulsion Laboratory in Pasadena, California, and the Goddard Space
Flight Center in Greenbelt, Maryland. Since Pryce was capturing the logins
and passwords of the Air Force networks in Rome, he was then able to
get into the home systems of Rome network users, defense contractors
like Lockheed.
By mid-April of 1994 the Air Force was monitoring other systems being
used by the British hackers. On the 14th of the month, Kuji logged on
to the Goddard Space Center from a system in Latvia and copied data
from it to the Baltic country. According to Gelber's report, the
AFOSI investigators assumed the worst, that it was a sign that someone
in an eastern European country was making a grab for sensitive
information. They broke the connection but not before Kuji had
copied files off the Goddard system. As it turned out, the Latvian
computer was just another system the British hackers were using as
a stepping stone; Pryce had also used it to cover his tracks when
penetrating networks at Wright-Patterson Air Force Base in Ohio, via
an intermediate system in Seattle, cyberspace.com.
The next day, Kuji was again observed trying to probe various
systems at NATO in Brussels and The Hague as well as Wright-Patterson.
On the 19th, Pryce successfully returned to NATO systems in The
Hague through Mindvox. The point Gelber and Christy seem to be trying
to make is that Kuji, a 21-year old, was coaching Pryce during some
of his attacks on various systems.
By this point, New Scotland Yard had a search warrant for Pryce
with the plan being to swoop down on him the next time he accessed
the Air Force network in Rome.
In April, Pryce penetrated a system on the Korean peninsula and copied
material off a facility called the Korean Atomic Research Institute
to an Air Force computer in Rome. At the time, the investigators had
no idea whether the system was in North or South Korea. The impression
created is one of hysteria and confusion at Rome. There was fear that the
system, if in North Korea, would trigger an international incident, with
the hack interpreted as an "aggressive act of war." The system turned
out to be in South Korea.
During the Korean break-in, New Scotland Yard could have intervened and
arrested Pryce. However, for unknown reasons, the agency did not. Those
with good memories may recall mainstream news reports concerning Pryce's
hack, which was cast as an entry into sensitive North Korean networks.
It's worth noting that while the story was portrayed as the work of
an anonymous hacker, both the U.S. government and New Scotland Yard knew
who the perpetrator was. Further, according to Gelber's report English
authorities already had a search warrant for Pryce's house.
Finally, on May 12 British authorities pounced. Pryce was arrested
and his residence searched. He crumbled, according to the Times of
London, and began to cry. Gelber and Christy write that Pryce promptly
admitted to the Air Force break-ins as well as others. Pryce
confessed he had copied a large program that used artificial intelligence
to construct theoretical Air Orders of Battle from an Air Force computer
to Mindvox and left it there because of its great size, 3-4 megabytes.
Pryce paid for his Internet service with a fraudulent credit card number.
At the time, the investigators were unable to find out the name and
whereabouts of Kuji. A lead to an Australian underground bulletin board
system failed to pan out.
On June 23 of this year, Reuters reported that Kuji -- 21-year-old Mathew
Bevan -- a computer technician, had been arrested and charged in
connection with the 1994 Air Force break-ins in Rome.
Rocker Tom Petty sang that even the losers get lucky some time. He
wasn't thinking of British computer hackers but no better words could be
used to describe the two Englishmen and a two year old chain of events that
led to fame as international computer terrorists in front of Congress
at the beginning of the summer of 1996.
Lacking much evidence for the case of conspiratorial computer-waged
campaigns of terror and chaos against the U.S., the makers of Congressional
reports resorted to telling the same story over and over, three
times in the space of the hearings on the subject. One envisions U.S.
Congressmen too stupid or apathetic to complain, "Hey, didn't we get that
yesterday, and the day before?" Pryce and Bevan appeared in "Security in
Cyberspace" and twice in Government Accounting Office reports AIMD-96-84
and T-AIMD96-92. Jim Christy, the co-author of "Security in Cyberspace"
and the Air Force Office of Special Investigations' source for the Pryce
case, supplied the same tale for Jack Brock, author of the GAO reports.
Brock writes, ". . . Air Force officials told us that at least one of
the hackers may have been working for a foreign country interested in
obtaining military research data or areas in which the Air Force was
conducting advanced research." It was, apparently, more wishful
thinking.
Notes:
The FAS Web site also features an easy to use search engine which can
be used to pull up the Congressional testimony on hackers and
network intrusion. These example key words are effective: "Jim
Christy," "Datastream Cowboy".
[=-------------------------------------------------------------------------=]
title: Hackers Find Cheap Scotland Yard Phone Connection
source: Reuters/Variety
Monday August 5 12:01 AM EDT
LONDON (Reuter) - Computer hackers broke into a security system at
Scotland Yard, London's metropolitan police headquarters, to make
international calls at police expense, police said Sunday.
A police spokesman would not confirm a report in the Times newspaper
that the calls totaled one million pounds ($1.5 million). He said
the main computer network remained secure.
"There is no question of any police information being accessed," the
spokesman said. "This was an incident which was investigated by our
fraud squad and by AT&T investigators in the U.S."
AT&T Corp investigators were involved because most of the calls were
to the United States, the Times said.
According to The Times, the hackers made use of a system called PBX
call forwarding that lets employees make business calls from home
at their employer's expense.
[=-------------------------------------------------------------------------=]
title: U.S. Official Warns OF "Electronic Pearl Harbor"
source: BNA Daily Report - 17 Jul 96
Deputy U.S. Attorney General Jamie Gorelick told a Senate
subcommittee last week that the possibility of "an electronic Pearl
Harbor" is a very real danger for the U.S. She noted in her
testimony that the U.S. information infrastructure is a hybrid
public/private network, and warned that electronic attacks "can
disable or disrupt the provision of services just as readily as --
if not more than -- a well-placed bomb." On July 15 the Clinton
Administration called for a President's Commission on Critical
Infrastructure Protection, with the mandate to identify the nature
of threats to U.S. infrastructure, both electronic and physical, and
to work with the private sector in devising a strategy for
protecting this infrastructure. At an earlier hearing, subcommittee
members were told that about 250,000 intrusions into Defense
Department computer systems are attempted each year, with about a
65% success rate.
[=-------------------------------------------------------------------------=]
title: Suit Challenges State's Restraint of the Internet Via AP
author: Jared Sandberg
source: The Wall Street Journal
Can the state of Georgia hold sway over the global Internet?
A federal lawsuit filed against the state Tuesday by the American
Civil Liberties Union should eventually answer that question. The
suit, filed in federal district court in Georgia, challenges a new
Georgia law that makes it illegal in some instances to communicate
anonymously on the Internet and to use trademarks and logos without
permission.
The ACLU, joined by 13 plaintiffs including an array of public-
interest groups, contends that the Georgia law is "unconstitutionally
vague" and that its restraints on using corporate logos and trade
names are "impermissibly chilling constitutionally protected
expression." The plaintiffs also argue that the Georgia law, which
imposes a penalty of up to 12 months in jail and $1,000 in fines,
illegally tries to impose state restrictions on interstate commerce, a
right reserved for Congress.
The legal challenge is one of the first major assaults on state laws
that seek to rein in the Internet, despite its global reach and
audience. Since the beginning of 1995, 11 state legislatures have
passed Internet statutes and nine others have considered taking
action.
Connecticut passed a law last year that makes it a crime to send an
electronic-mail message "with intent to harass, annoy or alarm another
person" -- despite the Internet's hallowed tradition of "flaming"
users with messages designed to do just that. Virginia enacted a bill
this year making it illegal for a state employee -- including
professors who supposedly have academic freedom on state campuses --
to use state-owned computers to get access to sexually explicit
material. New York state has tried to resurrect prohibitions on
"indecent material" that were struck down as unconstitutional by a
federal appeals panel ruling on the federal Communications Decency Act
three months ago.
Most Internet laws target child pornographers and stalkers. Opponents
argue the well-intended efforts could nonetheless chill free speech
and the development of electronic commerce. They maintain that the
Internet, which reaches into more than 150 countries, shouldn't be
governed by state laws that could result in hundreds of different, and
often conflicting, regulations.
"We've got to nip this in the bud and have a court declare that states
can't regulate the Internet because it would damage interstate
commerce," says Ann Beeson, staff attorney for the ACLU. "Even though
it's a Georgia statute, it unconstitutionally restricts the ability of
anybody on the Internet to use a pseudonym or to link to a Web page
that contains a trade name or logo. It is unconstitutional on its
face."
Esther Dyson, president of high-tech publisher EDventure Holdings
Inc. and chairwoman of the Electronic Frontier Foundation, a high-tech
civil liberties organization that is a co-plaintiff in the lawsuit,
calls the Georgia law "brain-damaged and unenforceable" and adds: "How
are they going to stop people from using fake names? Anonymity
shouldn't be a crime. Committing crimes should be a crime."
But Don Parsons, the Republican state representative who sponsored the
Georgia bill, countered that the law is a necessary weapon to combat
fraud, forgery and other on-line misdeeds. The groups that oppose it,
he says, "want to present (the Internet) as something magical, as
something above and beyond political boundaries." It is none of these
things, he adds.
Nor does the Georgia law seek to ban all anonymity, Mr. Parsons says;
instead, it targets people who "fraudulently misrepresent their (Web)
site as that of another organization." Misrepresenting on-line medical
information, for example, could cause serious harm to an unsuspecting
user, he says.
But Mr. Parsons's critics, including a rival state lawmaker,
Rep. Mitchell Kaye, say political reprisal lies behind the new
law. They say Mr. Parsons and his political allies were upset by the
Web site run by Mr. Kaye, which displayed the state seal on its
opening page and provided voting records and sometimes harsh political
commentary. Mr. Kaye asserts that his Web site prompted the new law's
attack on logos and trademarks that are used without explicit
permission.
"We've chosen to regulate free speech in the same manner that
communist China, North Korea, Cuba and Singapore have," Mr. Kaye
says. "Legislators' lack of understanding has turned to fear. It has
given Georgia a black eye and sent a message to the world -- that we
don't understand and are inhospitable to technology."
Mr. Parsons denies that the political Web site was the primary reason
for his sponsorship of the new statute.
The very local dispute underscores the difficulty of trying to
legislate behavior on the Internet. "It creates chaos because I don't
know what rules are going to apply to me," says Lewis Clayton, a
partner at New York law firm Paul, Weiss, Rifkind, Wharton &
Garrison. "Whose laws are going to govern commercial transactions? You
don't want to have every different state with the ability to regulate
what is national or international commerce."
In the case of the Georgia statute, while its backers say it isn't a
blanket ban of anonymity, opponents fear differing interpretations of
the law could lead to the prosecution of AIDS patients and child-abuse
survivors who use anonymity to ensure privacy when they convene on the
Internet.
"Being able to access these resources anonymously really is crucial,"
says Jeffery Graham, executive director of the AIDS Survival Project,
an Atlanta service that joined the ACLU in the lawsuit. His group's
members "live in small communities," he says, and if their identities
were known, "they would definitely suffer from stigmas and reprisals."
[=-------------------------------------------------------------------------=]
title: U.S. Government Plans Computer Emergency Response Team
source: Chronicle of Higher Education - 5 Jul 96
The federal government is planning a centralized emergency response team to
respond to attacks on the U.S. information infrastructure. The Computer
Emergency Response Team at Carnegie Mellon University, which is financed
through the Defense Department, will play a major role in developing the new
interagency group, which will handle security concerns related to the
Internet, the telephone system, electronic banking systems, and the
computerized systems that operate the country's oil pipelines and electrical
power grids.
[=-------------------------------------------------------------------------=]
title: Hackers $50K challenge to break Net security system
source: Online Business Today
World Star Holdings in Winnipeg, Canada is looking for
trouble. If they find it, they're willing to pay $50,000 to the
first person who can break their security system. The
company has issued an open invitation to take the "World
Star Cybertest '96: The Ultimate Internet Security Challenge,"
in order to demonstrate the Company's Internet security
system.
Personal email challenges have been sent to high profile
names such as Bill Gates, Ken Rowe at the National Center
for Super Computing, Dr. Paul Penfield, Department of
Computer Science at the M.I.T. School of Engineering and
researchers Drew Dean and Dean Wallach of Princeton
University.
[* Challenging Bill Gates to hack a security system is like
challenging Voyager to a knitting contest. *]
OBT's paid subscription newsletter Online Business
Consultant has recently quoted the Princeton team in several
Java security reports including "Deadly Black Widow On The
Web: Her Name is JAVA," "Java Black Widows---Sun
Declares War," "Be Afraid. Be Very Afraid" and "The
Business Assassin." To read these reports go to Home Page
Press http://www.hpp.com and scroll down the front page.
Brian Greenberg, President of World Star said, "I personally
signed, sealed and emailed the invitations and am very
anxious to see some of the individuals respond to the
challenge. I am confident that our system is, at this time, the
most secure in cyberspace."
World Star Holdings, Ltd., is a provider of interactive
"transactable" Internet services and Internet security
technology which Greenberg claims has been proven
impenetrable. The Company launched its online contest
offering more than $50,000 in cash and prizes to the first
person able to break its security system.
According to the test's scenario hackers are enticed into a
virtual bank interior in search of a vault. The challenge is to
unlock it and find a list of prizes with inventory numbers and
a hidden "cyberkey" number. OBT staff used Home Page
Press's Go.Fetch (beta) personal agent software to retrieve the
World Star site and was returned only five pages.
If you're successful, call World Star at 204-943-2256. Get to
it hackers. Bust into World Star at http://205.200.247.10 to
get the cash!
[=-------------------------------------------------------------------------=]
title: Criminal cult begins PGP crack attempt
from: grady@netcom.com (Grady Ward)
The Special Master has informed me that Madame Kobrin has asked
her to retain a PC expert to attempt to "crack" a series of
pgp-encrypted multi-megabyte files that were seized along with
more than a compressed gigabyte of other material from my safety
deposit box.
Ironically, they phoned to ask for assistance in supplying them
with a prototype "crack" program that they could use in iterating
and permuting possibilities. I did supply them a good core
pgpcrack source that can search several tens of thousands of
possible key phrases a second; I also suggested that they should
at least be using a P6-200 workstation or better to make the
search more efficient.
The undercurrent is that this fresh hysterical attempt to "get"
something on me coupled with the daily settlement pleas reflects
the hopelessness of the litigation position of the criminal cult.
It looks like the criminal cult has cast the die to ensure that
the RTC vs Ward case is fought out to the bitter end. Which I
modestly predict will be a devastating, humiliating defeat for
them from a pauper pro per.
I have given them a final settlement offer that they can leave or
take. Actually they have a window of opportunity now to drop the
suit since my counterclaims have been dismissed (although Judge
Whyte invited me to re-file a new counterclaim motion on a more
legally sufficient basis).
I think Keith and I have found a successful counter-strategy to
the cult's system of litigation harassment.
Meanwhile, I could use some help from veteran a.r.s'ers. I need
any copy you have of the Cease and Desist letter that you may
have received last year from Eliot Abelson quondam criminal cult
attorney and Eugene Martin Ingram spokespiece.
Physical mail:
Grady Ward
3449 Martha Ct.
Arcata, CA 95521-4884
JP's BMPs or fax-images to:
grady@northcoast.com
Thanks.
Grady Ward
Ps. I really do need all of your help and good wishes after all.
Thanks for all of you keeping the net a safe place to insult
kook kults.
[=-------------------------------------------------------------------------=]
title: Hackers Bombard Internet
author: Dinah Zeiger
source: Denver Post
9/21/96
Computer hackers have figured out a new way to tie the Internet
in knots - flooding network computers with messages so other users can't
access them.
Late Thursday, the federally funded Computer Emergency Response
Team at Carnegie-Mellon University in Pittsburgh issued an advisory to
Internet service providers, universities and governments detailing the
nature of the attacks, which have spread to about 15 Internet services
over the past six weeks. Three were reported this week.
Thus far, none of the Colorado-based Internet providers contacted
has been victimized, but all are on alert and preparing defenses.
The worst of it is that there is no rock-solid defense, because
the attacks are launched using the same rules - or protocols - that allow
Internet computers to establish a connection.
The best the Computer Emergency Response Team can do so far is to
suggest modifications that can reduce the likelihood that a site will be
targeted.
In essence, hackers bombard their victim sites with hundreds of
messages from randomly generated, fictitious addresses. The targeted
computers overload when they try to establish a connection with the false
sites. It doesn't damage the network, it just paralyzes it.
The Computer Emergency Response Team traces the attacks to two
underground magazines, 2600 and Phrack, which recently published the code
required to mount the assaults.
[* Uh, wait.. above it said messages.. which sounds more like usenet,
not SYN Floods.. *]
"It's just mischief," said Ted Pinkowitz, president of Denver-based
e-central. "They're just doing it to prove that it can be done."
One local Internet service provider, who declined to be identified
because he fears being targeted, said it goes beyond pranks.
"It's malicious," he said. "They're attacking the protocols that
are the most basic glue of the Internet and it will take some subtle work
to fix it. You can't just redesign the thing, because it's basic to the
operation of the entire network."
The response team says tracking the source of an attack is
difficult, but not impossible.
"We have received reports of attack origins being identified,"
the advisory says.
[=-------------------------------------------------------------------------=]
title: Crypto Mission Creep
author: Brock N. Meeks
The Justice Department has, for the first time, publicly acknowledged
using the code-breaking technologies of the National Security Agency, to
help with domestic cases, a situation that strains legal boundaries of
the agency.
Deputy Attorney General Jamie Gorelick admitted in July, during an open
hearing of the Senate's Governmental Affairs permanent subcommittee on
investigations, that the Justice Department: "Where, for example, we
are having trouble decrypting information in a computer, and the
expertise lies at the NSA, we have asked for technical assistance under
our control."
That revelation should have been a bombshell. But like an Olympic
diver, the revelation made hardly a ripple.
By law the NSA is allowed to spy on foreign communications without
warrant or congressional oversight. Indeed, it is one of the most
secretive agencies of the U.S. government, whose existence wasn't even
publicly acknowledged until the mid-1960s. However, it is forbidden to
get involved in domestic affairs.
During the hearing Sen. Sam Nunn (D-Ga.) asked Gorelick if the President
had "the constitutional authority to override statutes where the
basic security of the country is at stake?" He then laid out a
scenario: "Let's say a whole part of the country is, in effect,
freezing to death in the middle of the winter [because a power grid has
been destroyed] and you believe it's domestic source, but you can't
trace it, because the FBI doesn't have the capability. What do you do?"
Gorelick replied that: "Well, one thing you could do -- let me say
this, one thing you could do is you could detail resources from the
intelligence community to the law enforcement community. That is, if
it's under -- if it's -- if you're talking about a technological
capability, we have done that." And then she mentioned that the NSA
had been called on to help crack some encrypted data.
But no one caught the significance of Gorelick's statements. Instead,
the press focused on another proposal she outlined, the creation of what
amounts to a "Manhattan Project" to help thwart the threat of
information warfare. "What we need, then, is the equivalent of the
'Manhattan Project' for infrastructure protection, a cooperative venture
between the government and private sector to put our best minds together
to come up with workable solutions to one of our most difficult
challenges," Gorelick told Congress. Just a day earlier, President
Clinton had signed an executive order creating a blue-ribbon panel, made
up of several agencies, including the Justice Department, the CIA, the
Pentagon and the NSA and representatives of the private sector.
Though the press missed the news that day, the intelligence agency
shivered. When I began investigating Gorelick's statement, all I got
were muffled grumbling. I called an NSA official at home for comments.
"Oh shit," he said, and then silence. "Can you elaborate a bit on that
statement?" I asked, trying to stifle a chuckle. "I think my comment
says it all," he said and abruptly hung up the phone.
Plumbing several sources within the FBI drew little more insight. One
source did acknowledge that the Bureau had used the NSA to crack some
encrypted data "in a handful of instances," but he declined to
elaborate.
Was the Justice Department acting illegally by pulling the NSA into
domestic work? Gorelick was asked by Sen. Nunn if the FBI had the
legal authority to call on the NSA to do code-breaking work. "We have
authority right now to ask for assistance where we think that there
might be a threat to the national security," she replied. But her
answer was "soft." She continued: "If we know for certain that there
is a -- that this is a non-national security criminal threat, the
authority is much more questionable." Questionable, yes, but averted?
No.
If Gorelick's answers seem coy, maybe it's because her public statements
are at odds with one another. A month or so before her congressional
bombshell, she revealed the plans for the information age "Manhattan
Project" in a speech. In a story for Upside magazine, by
old-line investigative reporter Lew Koch, where he broke the story,
Gorelick whines in her speech about law enforcement going through "all
that effort" to obtain warrants to search for evidence only to find a
child pornographer had computer files "encrypted with DES" that don't
have a key held in escrow. "Dead end for us," Gorelick says. "Is this
really the type of constraint we want? Unfortunately, this is not an
imaginary scenario. The problem is real."
All the while, Gorelick knew, as she would later admit to Congress, that
the FBI had, in fact, called the NSA to help break codes.
An intelligence industry insider said the NSA involvement is legal.
"What makes it legal probably is that when [the NSA] does that work
they're really subject to all the constraints that law enforcement is
subject to." This source went on to explain that if the FBI used any
evidence obtained from the NSA's code-breaking work to make its case in
court, the defense attorney could, under oath, ask the NSA to "explain
fully" how it managed to crack the codes. "If I were advising NSA today
I would say, there is a substantial risk that [a defense attorney] is
going to make [the NSA] describe their methods," he said. "Which means
it's very difficult for the NSA to do its best stuff in criminal cases
because of that risk."
Some 20 years ago, Sen. Frank Church, then chairman of the Senate
Intelligence Committee, warned of getting the NSA involved in domestic
affairs, after investigating the agency for illegal acts. He said the
"potential to violate the privacy of Americans is unmatched by any other
intelligence agency." If the resources of the NSA were ever used
domestically, "no American would have any privacy left . . . There would
be no place to hide," he said. "We must see to it that this agency and
all agencies that possess this technology operate within the law and
under proper supervision, so that we never cross over that abyss. That
is an abyss from which there is no return," he said.
And yet, the Clinton Administration has already laid the groundwork for
such "mission creep" to take place, with the forming of this "Manhattan
Project."
But if the Justice Department can tap the NSA at will -- a position of
questionable legality that hasn't been fully aired in public debate --
why play such hardball on the key escrow encryption issue?
Simple answer: Key escrow is an easier route. As my intelligence
community source pointed out, bringing the NSA into the mix causes
problems when a case goes to court. Better to have them work in the
background, unseen and without oversight, the Administration feels. With
key escrow in place, there are few legal issues to hurdle.
In the meantime, the Justice Department has started the NSA down the
road to crypto mission creep. It could be a road of no return.
Meeks out...
[=-------------------------------------------------------------------------=]
title: Hacker posts nudes on court's Web pages
author: Rob Chepak
source: The Tampa Tribune
TALLAHASSEE - The Internet home of the Florida Supreme Court isn't
the kind of place you'd expect to find nudity.
But that's what happened Wednesday morning when a judge in
Tallahassee found a pornographic photo while he was looking for the latest
legal news.
A computer hacker broke into the high court's cyberhome, placing at
least three pornographic photos and a stream of obscenities on its Web pages.
``All I looked at was the one picture, then I checked with the
court,'' said a surprised Charles Kahn Jr., a 1st District Court of Appeal
judge.
The altered pages were immediately turned off. The Florida Department
of Law Enforcement is investigating the incident and the U.S. Justice
Department has been contacted. The hacker didn't tamper with any official
records, court officials said.
``We've got three photos and we're looking for more,'' said Craig
Waters, executive assistant to Chief Justice Gerald Kogan. The culprit
``could be anyone from someone in the building to the other side of
the world.''
[* I bet they are looking for more.. *]
The Florida Court's Web site is used to post information about court
opinions, state law and legal aid. Thousands of people, including children,
use the court system's more than 500 Internet pages each month, Waters said.
The court and other state agencies usually keep their most vital
information on separate computers that can't be accessed on the Internet.
Officials aren't sure how the culprit broke in, and FDLE had no
suspects Thursday afternoon. But court officials long have suspected their
Web site could be a target for hackers armed with the computer equipment to
impose photos on the Web. The Florida Supreme Court became the first state
Supreme Court in the nation to create its own Internet pages two years ago.
While the episode sounds like a well-crafted high school prank,
computer hackers are becoming a big problem for government agencies, which
increasingly are finding themselves the victims of criminal tampering on
the Internet. In August, someone placed swastikas and topless pictures of
a TV star on the U.S. Department of Justice's home page. The Central
Intelligence Agency has been victimized, too.
``It's certainly a common problem,'' said P.J. Ponder, a lawyer for
the Information Resource Commission, which coordinates the state
government's computer networks. However, there are no statistics on
incidences of tampering with state computers.
The best way for anyone to minimize damage by computer hackers is by
leaving vital information off the Internet, said Douglas Smith, a consultant
for the resource commission. Most state agencies follow that advice, he added.
``I think you have to weigh the value of security vs. the value of
the information you keep there,'' he said.
Court officials would not reveal details of the sexually explicit
photos Thursday, but Liz Hirst, an FDLE spokeswoman, said none were of
children.
Penalties for computer tampering include a $5,000 fine and five
years in jail, but the punishment is much higher if it involves child
pornography, she said.
Without a clear motive or obvious physical evidence, FDLE
investigators, who also investigate child pornography on the Internet,
hope to retrace the culprit's steps in cyberspace. However, Ponder said
cases of Internet tampering are ``very difficult to solve.''
Thursday, the state's top legal minds, who are used to handing out
justice, seemed unaccustomed to being cast as victims.
``No damage was done,'' Kogan said in a statement. ``But this
episode did send a message that there was a flaw in our security that we
now are fixing.''
[* I tell you (and other agencies) I do security consulting!! Please?! *]
[=-------------------------------------------------------------------------=]
title: Hacking Into Piracy
source: The Telegraph
22nd October 1996
Computer crime investigators are using the techniques of their
adversaries to crack down on illegally traded software. Michael
McCormack reports.
The adage "Set a thief to catch a thief" is being updated for the
electronic age as online investigators use hackers' techniques to fight
a thriving trade in counterfeit and pirate software that is reckoned to
cost British program-makers more than £3 billion a year.
"Jason", a computer crime investigator employed by Novell to shut down
bulletin boards that trade pirate copies of its software, leads a
confusing double life. First he spends weeks in his office, surfing the
Internet and wheedling secrets from hackers around Europe; then he
compiles dossiers of evidence on the system operators who deal in Novell
wares, flies to their bases, presents the local police with his reports,
and accompanies them on the inevitable raid.
"Every day I'm on IRC [the Internet's chat lines, where information can
be exchanged quickly and relatively anonymously] looking for tips on new
bulletin boards that might have Novell products on them," he says.
"It tends to be the biggest boards that have our products, and those can
be difficult to get on to. The operators have invested a lot of time and
cash in setting them up and they're sometimes quite careful who they'll
let on. I often start by joining dozens of little boards in the area to
get myself a good reputation, which I can use as a reference to get on
to the big board.
"Our policy has been to go country by country through Europe and try to
take down the biggest boards in each one. That has a chilling effect on
the other operators. They think, 'If he could get caught, I'm doomed.'
Within days of us taking down a big board, Novell products disappear off
the smaller ones."
Once Jason gains entry to a big board, the game begins in earnest:
"Bulletin boards work on the principle that if you want to take
something off, you first have to put something in. Obviously I can't put
in Novell's products, or any other company's; instead, we use a program
we wrote ourselves. It's huge, and it has an impressive front end full
of colour screen indicators and menus. It doesn't actually do anything
but it looks impressive and it lets you start pulling things off the
site."
Once Jason finds company products on a board, he makes a video of
himself logging on and retrieving a copy of the software.
[* Talk about freako bizarre narc fetishes.. *]
Bulletin boards often have restricted areas closed to all but a few
trusted members, and these are where the most illegal products - such as
expensive business or word-processing packages copied from beta releases
or pirate disks - are kept. Penetrating these areas takes a skill
learned from the hackers. "It's called social engineering," says Jason.
"It just means chatting up the operator until he decides to trust you
with the goodies."
Once Jason finds company products on a board, he makes a video of
himself logging on and retrieving a copy of the software. Then it's on
to a plane to go and lodge a complaint with the local police.
He is helped by Simon Swale, a fellow Novell investigator and former
Metropolitan Police detective who uses his experience of international
police procedures and culture to ensure that foreign forces get all the
technical help they need.
In the past six months, Jason's investigations have shut down seven
bulletin boards across Europe, recovering software valued at more than
500,000. The company reckons the closed boards would have cost it more
than 2.5 million in lost sales over the next year.
One of Jason's biggest successes came earlier this year in Antwerp,
when he guided Belgian police to the Genesis bulletin board, which held
more than 45,000 worth of Novell products and a slew of other pirate
software. Jason has vivid memories of the early-morning raid on the
operator's house: "The first thing he said was, 'I have nothing illegal
on my system.' So I set up my laptop and mobile and dialled into it from
his kitchen. All the police watched as I tapped into my keyboard and
everything popped up on his screen across the room. I went straight
in to the Novell stuff and he said, 'Okay, maybe I have a little'."
The system operator, Jean-Louis Piret, reached a six-figure out-of-court
settlement with Novell. More importantly for the company, its products
have all but disappeared from Belgium's boards in the wake of the raid.
There are, however, many more fish to fry. Jason already has another
three raids lined up for autumn . . .
[=-------------------------------------------------------------------------=]
title: Revealing Intel's Secrets
The Intel's Secrets site may not be around for long if Intel has anything
to say about it. The site provides a look at details, flaws, and programming
tips that the giant chip manufacturer would rather not share with the general
public. One particular page exposes some unflattering glitches of the P6
chip and a bug in the Intel486 chip. The site even has two separate hit
counters: one for the average visitor, and one that counts the number of
times Intel has stopped by.
[=-------------------------------------------------------------------------=]
title: Internet Boom Puts Home PCs At Risk Of Hackers
author: Nick Nuttall
source: The London Times
18th October 1996
Home computers, which carry everything from private banking details to
love letters, are becoming vulnerable to hackers as more households
connect to the Internet.
The boom in electronic services is making the home PC as open to attack
as company and government systems, a survey of hackers has disclosed.
The Internet is also helping hackers to become more skilful as they
exchange tips and computer programs around the globe.
[* Survey of hackers?! Bullshit. *]
A spokesman for Kinross and Render, which carried out the survey for
Computacenter, said: "Breaking into home computers is now increasingly
possible and of great interest to hackers. It may be a famous person's
computer, like Tony Blair's or a sports personality. Equally it could be
yours or my computer carrying personal details which they could use for
blackmailing."
Passwords remain easy to break despite warnings about intrusion.
Companies and individuals frequently use simple name passwords such as
Hill for Damon Hill or Blair for the Labour leader. Hackers also said
that many users had failed to replace the manufacturer's password with
their own.
Hackers often use programs, downloaded from the Internet, which will
automatically generate thousands of likely passwords. These are called
Crackers and have names such as Satan or Death.
[* Satan? Death? Ahhhh! *]
John Perkins, of the National Computing Centre in Manchester, said
yesterday: "The linking of company and now home computers to the
global networks is making an expanding market for the hackers." The
Computacenter survey was based on interviews with more than 130
hackers, supplemented by interviews over the Internet. The average
hacker is 23, male and a university student. At least one of those
questioned began hacking ten years ago, when he was eight.
[* No offense to anyone out there, but how in the hell could they
validate any claims in a survey like that? And especially with
that amount? *]
Most said it was getting easier, rather than harder, to break in and
many hackers would relish tighter computer security because this would
increase the challenge. Existing laws are held in contempt and almost 80
per cent said tougher laws and more prosecutions would not be a
deterrent. Eighty-five per cent of those questioned had never been
caught.
Most said the attraction of hacking lay in the challenge, but a hard
core were keen to sabotage computer files and cause chaos, while others
hoped to commit fraud.
[* Excuse me while I vomit. *]
[=-------------------------------------------------------------------------=]
title: Computer hacker Mitnick pleads innocent
September 30, 1996
LOS ANGELES (AP) -- The notorious computer hacker Kevin Mitnick pleaded
innocent Monday to charges he mounted a multimillion-dollar crime wave
in cyberspace during 2 1/2 years as a fugitive.
Mitnick, 33, held without bail on a fraud conviction, told the judge
not to bother reading the indictment, which includes 25 new counts of
computer and wire fraud, possessing unlawful access devices, damaging
computers and intercepting electronic messages.
"Not guilty," Mitnick said. His indictment, handed up Friday by a
federal grand jury, follows an investigation by a national task force
of FBI, NASA and federal prosecutors with high-tech expertise.
It charges Mitnick with using stolen computer passwords, damaging
University of Southern California computers and stealing software
valued at millions of dollars from technology companies, including
Novell, Motorola, Nokia, Fujitsu and NEC.
...........
Mitnick pleaded guilty in April to a North Carolina fraud charge of
using 15 stolen phone numbers to dial into computer databases.
Prosecutors then dropped 22 other fraud charges but warned that new
charges could follow.
Mitnick also admitted violating probation for a 1988 conviction in Los
Angeles where he served a year in jail for breaking into computers at
Digital Equipment Corp. At 16, he served six months in a youth center
for stealing computer manuals from a Pacific Bell switching center.
Mitnick also got a new lawyer Monday, Donald C. Randolph, who
represented Charles Keating Jr.'s top aide, Judy J. Wischer, in the
Lincoln Savings swindle.
[=-------------------------------------------------------------------------=]
title: Hackers Destroy Evidence of Gulf War Chemical/Biological Weapons
source: WesNet News
Saturday, Nov. 2, 5:00 p.m.
WASHINGTON DC -- Hackers broke into a Web site (http://insigniausa.com)
containing suppressed evidence of Gulf War chemical and biological weapons
Friday, erasing all files.
"Someone hacked in Friday around 4 p.m. and completely trashed our
machine," said Kenneth Weaver, webmaster of W3 Concepts, Inc.
(http://ns.w3concepts.com) of Poolesville, Maryland (a suburb of Washington
D.C.), which houses the site.
The Web site contained recently-released suppressed Department of Defense
documents exposing biological and chemical warfare materials that U.S.
companies allegedly provided to Iraq before the war.
Bruce Klett, publisher, Insignia Publishing said they are now restoring the
files. "We plan to be operational again Saturday evening or Sunday," he
said. "We encourage anyone to copy these files and distribute them." There
are over 300 files, requiring 50 MB of disk space.
The Department of Defense has its own version of these files on its
Gulflink Web site (http://www.dtic.dla.mil/gulflink/).
Insignia plans to publish Gassed In the Gulf, a book on the government's
coverup by former CIA analyst Patrick Eddington, in six to eight weeks,
Klett added.
Hackers also brought down SNETNEWS and IUFO, Internet mailing lists
covering conspiracies and UFOs, on Oct. 25, according to list administrator
Steve Wingate. He plans to move the lists to another Internet service
provider and be back in operation soon.
"We've seen this happen regularly when we get too close to sensitive
subjects," Wingate said. "The election is Tuesday. This is a factor."
He also said a "quiet" helicopter buzzed and illuminated his Marin County
house and car Thursday night for several minutes.
[=-------------------------------------------------------------------------=]
title: Criminals Slip Through The Net
source: The Telegraph, London
5th November 1996
Britain is way behind in the fight against computer crime and it's time
to take it seriously, reports Michael McCormack.
BRITAIN'S police forces are lagging behind the rest of the world in
combating computer crime, according to one of the country's most
experienced computer investigators - who has just returned to walking
the beat.
Police Constable John Thackray, of the South Yorkshire Police, reached
this grim conclusion after a three-month tour of the world's leading
computer crime units, sponsored by the Winston Churchill Memorial Trust.
All of the five countries he studied, he says, are putting Britain's
efforts against electronic crime to shame.
"The level of education and understanding of computer crime is far more
advanced outside Britain," said Thackray.
"Here, police forces are shying away from even attempting to investigate
computer crimes. You see experienced detectives who lose all interest in
pursuing cases where there are computers involved.
"We know that computer crime, particularly software piracy, is closely
connected with organised crime - they like the high profits and the low
risk - but those connections aren't followed up."
He adds: "We are far behind our own criminals on these matters. We only
catch them when they get complacent and keep using old technology and
old methods. If they simply keep up with current technology, they are so
far ahead they are safe." Thackray was one of the officers responsible
for closing down one of the largest pirate bulletin boards in the
country, estimated to have stolen software worth thousands last year, and
has assisted officers from other forces in several similar cases.
Pirates recently named a new offering of bootleg software "Thackray1 and
2" in his honour.
He has seen how seriously such crimes are taken by police forces abroad:
"In America there are specialist units in every state and a similar
system is being put in place in Australia. There's nothing nearly as
comprehensive in Britain.
"We have the Computer Crimes Unit at Scotland Yard and a small forensic
team at Greater Manchester, but they're both badly under-resourced and
there's little interest in, or support for, investigating computer
crimes in other forces.
"Our officers must get a better education, to start with, on what
computer crime is, how it works and who is being hurt by it. We need to
bury the impression that this is a victimless crime with no serious
consequences."
Thackray is preparing a report on his impressions of anti-crime
initiatives in other countries and what must be done in Britain to equal
them. "In my view, we need specially detailed officers who are educated
in computer crime issues.
"We also need to become much more pro-active in our approach. It's not
good enough to sit back and wait for the complaints."
But perhaps symptomatic of Britain's efforts is the way Thackray's
valuable experience is being used. He is putting away his laptop and
getting out his boots.
"I'm now being moved back into uniform. The two year experience I have
gained in investigating these matters is not going to be used to its
full potential."
"We pride ourselves on being an effective police service in Britain, and
other countries look up to us. But when it comes to computer crime, we
have to start following their lead."
-EOF